Best way to authenticate users.

Posted: Fri Jan 05, 2007 1:51 am
by wildwobby
What is the best way to authenticate users? Is it bad practice to use IP addresses as part of the authentication? What should be done to ensure login is secure?

Posted: Fri Jan 05, 2007 2:47 am
by Kieran Huggins
IPs change all the time; they're completely unreliable.

Username and password is the standard for a reason ;)

Posted: Fri Jan 05, 2007 4:48 am
by R@mzes
Hi, I think this article can help you. Try it :)

Authorization on PHP

Posted: Fri Jan 05, 2007 5:50 am
by onion2k
Kieran Huggins wrote: IPs change all the time; they're completely unreliable.
For normal users that's true, but if you're writing a system that's going to be used either on an internal network with static IPs, or accessed by business users behind a static IP, then locking users down to a specific IP address and only authenticating them if they're logging in from that location is a very sensible addition to a username and password system. It's another barrier to unauthorised users, and one that's completely transparent to proper users. That can only be a good thing.

Posted: Fri Jan 05, 2007 8:53 am
by feyd
Just be careful when using IP based locking. If the business client does move IPs, their access will likely be locked, likely resulting in frantic calls from them, and possibly in them losing money.

Just be careful how you use it.

Posted: Fri Jan 05, 2007 9:17 am
by Kieran Huggins
maybe use a cookie & IP to auto login... if one changes / is absent, demand a full login.

Not very secure though... but people save logins in their autocomplete anyway...

Posted: Fri Jan 05, 2007 9:53 am
by wildwobby
Thanks guys...

I've heard of people somehow getting a 'key' that grants them access for 1 page, then on the next page generates a new key provided it hasn't timed out. I know you should also give a 15 sec. grace period to the old key in case a user double-clicks a link or something and doesn't inadvertently log themselves out.

How would that be done though?

Seems like a very secure method to me.

Posted: Fri Jan 05, 2007 9:57 am
by feyd
Call the key generation code again. Whatever the key happens to be.

session_regenerate_id() is used many times, however it's probably not the best to regenerate it on every request, that's a bit excessive.
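The per-page key with a 15-second grace period that wildwobby describes, and feyd's "call the key generation code again", as an added example in PHP. This is not code from the thread; the session field names, the `k` query parameter and the 15-minute idle timeout are assumptions made for the example.

```php
<?php
// Added example (not from the thread): a per-request key that is rotated on every
// page load, while the previous key stays valid for a short grace window so that a
// double-clicked link does not log the user out. Field names are hypothetical.

const KEY_GRACE_SECONDS    = 15;  // grace period from the thread
const KEY_LIFETIME_SECONDS = 900; // assumed idle timeout: 15 minutes

function generateKey(): string {
    return bin2hex(random_bytes(32)); // CSPRNG-backed, PHP >= 7.0
}

function clearKeys(): void {
    unset($_SESSION['auth_key'], $_SESSION['auth_key_issued'],
          $_SESSION['auth_key_prev'], $_SESSION['auth_key_prev_expires']);
}

// Called once after a successful username/password login.
function issueInitialKey(): string {
    clearKeys();
    $_SESSION['auth_key']        = generateKey();
    $_SESSION['auth_key_issued'] = time();
    return $_SESSION['auth_key'];
}

// Validate the key presented with this request and rotate it.
// Returns the key to embed in this page's links, or null if the request is not
// authenticated (the caller should then redirect to the login page).
function checkAndRotateKey(string $presented): ?string {
    $now = time();
    if (empty($_SESSION['auth_key'])) {
        return null;
    }
    // Idle timeout: a key that has not been used for too long is dead.
    if ($now - $_SESSION['auth_key_issued'] > KEY_LIFETIME_SECONDS) {
        clearKeys();
        return null;
    }
    // Normal case: the current key was presented. Rotate it and remember the old
    // one, with an expiry, for the grace window. hash_equals() avoids timing leaks.
    if (hash_equals($_SESSION['auth_key'], $presented)) {
        $_SESSION['auth_key_prev']         = $_SESSION['auth_key'];
        $_SESSION['auth_key_prev_expires'] = $now + KEY_GRACE_SECONDS;
        $_SESSION['auth_key']              = generateKey();
        $_SESSION['auth_key_issued']       = $now;
        return $_SESSION['auth_key'];
    }
    // Double-click / duplicate request: the previous key arrives inside the grace
    // window. Accept it, but do not rotate again; hand back the already-current key.
    if (isset($_SESSION['auth_key_prev'])
        && $now <= $_SESSION['auth_key_prev_expires']
        && hash_equals($_SESSION['auth_key_prev'], $presented)) {
        return $_SESSION['auth_key'];
    }
    // Unknown or stale key: treat the session as logged out.
    clearKeys();
    return null;
}

// Usage on a protected page (assumes the key travels in the "k" parameter):
session_start();
$key = checkAndRotateKey($_GET['k'] ?? '');
if ($key === null) {
    header('Location: /login.php');
    exit;
}
// Put $key into every link and form on the page, e.g.
//   <a href="next.php?k=<?= htmlspecialchars($key) ?>">next</a>
```

Two caveats worth keeping in mind with this pattern: the key rides on top of the session cookie, so it does not replace the session itself, and carrying it in the URL exposes it in browser history, proxy logs and Referer headers; a hidden form field or a cookie is a safer carrier for the same value.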

Posted: Fri Jan 05, 2007 10:28 am
by wildwobby
A'ight.

Thanks Feyd.

When should I use it though? If I shouldn't use it on every page, which pages is it most important for? Login page? Content pages? Randomly (like only having it renew if a random number between 0 and 1 is 0) per page...

Thanks for the help

Posted: Fri Jan 05, 2007 10:49 am
by feyd
It's important to regenerate the id when moving across security boundaries. For example, from not logged in to logged in; from basic pages to administrative pages; from basic pages to user setting pages. If allowed, I personally also require logging in again at these transitions.

Basically I place them wherever one moves up a security layer.
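feyd's rule of regenerating the session id at each move up a security layer, and re-authenticating at the transition, as an added PHP example. This is not code from the thread; the in-memory user table, the session field names and the 10-minute admin elevation window are assumptions made for the example (the array form of `session_set_cookie_params()` needs PHP 7.3 or later).

```php
<?php
// Added example (not from the thread): regenerate the session id at two security
// boundaries -- anonymous -> logged in, and logged in -> administrative pages -- and
// require a fresh password check at the step-up. User store and names are hypothetical.

const ADMIN_STEPUP_SECONDS = 600; // assumed: admin elevation lasts 10 minutes

// Constructed sample user table; a real application would query a database.
function findUserByName(string $username): ?array {
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['id' => 1, 'is_admin' => true,
                        'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
            'bob'   => ['id' => 2, 'is_admin' => false,
                        'password_hash' => password_hash('battery staple', PASSWORD_DEFAULT)],
        ];
    }
    return $users[$username] ?? null;
}

function beginSession(): void {
    // Harden the session cookie before starting the session; assumes HTTPS.
    session_set_cookie_params([
        'httponly' => true, 'secure' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

// Boundary 1: not logged in -> logged in.
function login(string $username, string $password): bool {
    $user = findUserByName($username);
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // A fresh id (old one deleted) means an id a visitor carried in before logging
    // in is never promoted to an authenticated session.
    session_regenerate_id(true);
    $_SESSION = [
        'username'    => $username,
        'user_id'     => $user['id'],
        'is_admin'    => $user['is_admin'],
        'login_time'  => time(),
        'admin_until' => 0,   // not elevated yet
    ];
    return true;
}

// Boundary 2: basic pages -> administrative pages. Re-authenticate, then regenerate.
function elevateToAdmin(string $password): bool {
    if (empty($_SESSION['user_id']) || empty($_SESSION['is_admin'])) {
        return false;
    }
    $user = findUserByName($_SESSION['username']);
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['admin_until'] = time() + ADMIN_STEPUP_SECONDS;
    return true;
}

// Guard at the top of every administrative page.
function requireAdmin(): void {
    if (empty($_SESSION['admin_until']) || time() > $_SESSION['admin_until']) {
        header('Location: /admin_login.php');
        exit;
    }
}

function logout(): void {
    $_SESSION = [];
    session_destroy();
}

// Usage: beginSession(); then login($_POST['user'], $_POST['pass']) on the login
// page, elevateToAdmin($_POST['pass']) on the admin login page, requireAdmin() on
// admin pages.
```

Regenerating only at these transitions, rather than on every request, gives the protection feyd describes without the cost and the race conditions (parallel requests carrying the old id) that per-request regeneration brings.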

Posted: Fri Jan 05, 2007 4:25 pm
by raghavan20
wildwobby wrote: Thanks guys...

I've heard of people somehow getting a 'key' that grants them access for 1 page, then on the next page generates a new key provided it hasn't timed out. I know you should also give a 15 sec. grace period to the old key in case a user double-clicks a link or something and doesn't inadvertently log themselves out.

How would that be done though?

Seems like a very secure method to me.
Can you explain this 15 sec grace period you are talking about, as I am not aware of this?